and we germans are a step ahead and the Government dismantled itself yesterday :D

binford2k: ikr :(

someone pointed towards this in another channel. I guess that would be the basis of the "security" argument in the blog post? https://adnanthekhan.com/2024/07/02/roguepuppet-a-critical-puppet-forge-supply-chain-vulnerability/

yup. Except that the vuln was a new Pune engineer who didn't take the time to understand the giant "don't use this" warning on docs for a github trigger. Now everyone who mitigated that problem is gone, and they're shipping all puppet dev work to..... Pune

what's Pune?

Pune, India

ah I see

so it sounds like we're gonna be moving on the upstream packaging real soon now https://overlookinfratech.com/2024/10/31/flutter-forking/

wow.. the vuln-post was a piece of interesing reading..

https://woodruffw.github.io/zizmor/ + https://github.com/synacktiv/octoscan might have helped there :)

100% ⬆️

I was working on said things when we parted ways

but it's interesting, that GH is such a big vector

(I might have broken Ansible Galaxy using it in the past whistle https://www.die-welt.net/2021/11/getting-access-to-somebody-elses-ansible-galaxy-namespace/)

vuln vector? Or factor in this announcement?

I mean… it obviously is a vector, but in more ways than "this hosts all our jewels"

vuln vector

Oh wow! I missed a lot yesterday :)

I'd be happy to missed some of those things 🙂

yeah..

all the concerns above are valid.. I'd add that I see no reason to use EULA'ed packages for 25 machines if there are community packages available (and are good enough). Which brings me to the question.. who are the users of this developer subscription/EULA at all? Why the hell to suffer with all the T&C just to have 25 OSS packages?

s/packages\?$/machines with "official" packages/

that idea is only viable if there are no community packages or those packages are bad in many ways (e.g. fragmented or some tooling (PDK) cannot be used with them)

which leads me to really dark thoughts

BUT.. Puppet will die w/o community very quickly.. it'll become PE-only and will be used in just few places.. then Perforce will sell it away/kill it because it worth no money paid to the developers and managers.

sooo... I hope there is 1-2 effective managers who want to pull as much money as possible before being fired who doing this

though.. there is one more reason I can foresee.. but it's conspirology mostly 🙂

They are not going to be pushing code changes to public repos regularly. So community packages will be sub par to their own and not have the same features.

So instead the more likely outcome is a fork and not community providing packages imo - or just death of the community

fork means someone else will sell it.. not Perforce.. 🙂